{"id":13861,"date":"2026-07-07T06:00:58","date_gmt":"2026-07-07T13:00:58","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13861"},"modified":"2026-07-07T04:39:35","modified_gmt":"2026-07-07T11:39:35","slug":"fake-installers-fake-reviews-fake-services-real-proxies-real-victims","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/","title":{"rendered":"Fake Installers, Fake Reviews, Fake Services &#8211; Real Proxies, Real Victims"},"content":{"rendered":"<h3>Executive Summary<\/h3>\n<p>Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access to your device\u2019s bandwidth to their own customers. Those companies\u2014proxy providers\u2014often have affiliate programs where they pay for installation of the software. Sound familiar? It\u2019s the same model as the advertising networks we often write about. Residential proxies are yet another tangled ecosystem full of buyers and sellers, with players in every shade of grey. This blog tells the story of a bad actor who operates an end-to-end malicious proxy business grounded in a collection of clever lookalike domains.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-image.jpg\" alt=\"Image\"><\/p>\n<p>Our discovery started with a single campaign: In early 2026, the actor, who we track as Lurking Lizard, fooled users into downloading a fake version of the 7-Zip archive utility. Once installed, the device was enrolled as a proxy node to be rented to residential proxy services. This malware, or proxyware, was hosted at 7zip[.]com instead of the real site, 7-zip[.]org. At the time, <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/02\/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes\" target=\"_blank\"><strong>reporting<\/strong><\/a> treated these installers as part of a one-off malware campaign; however, we linked this activity to operations dating back to at least August 2022.<\/p>\n<p>The threat actor uses trojanized software to recruit victim machines as residential proxy nodes, providing just enough functionality to appear legitimate and keep users from uninstalling it. Lookalike domains not only impersonate popular software like 7-Zip, but also several popular VPNs and services like HeroSMS, which provide access to banks of virtual phone numbers. Naturally, the actor has several generic &#8220;download\u201d domains in their portfolio. And what could go wrong with their \u201cIP address checker\u201d domains?<\/p>\n<p>Lurking Lizard even impersonates proxy services, including IPIDEA, SmartProxy, IP Royal, and 911Proxy. These lookalikes are so good, they even fooled us for a while! Take one example: smartproxy[.]org, which <a href=\"https:\/\/web.archive.org\/web\/20260613191838\/https:\/\/www.smartproxy.org\/\" target=\"_blank\"><strong>offers budget access<\/strong><\/a> to 100M residential IP addresses. Here\u2019s the kicker: that domain belongs to Lurking Lizard, not Smartproxy. In April, researchers found that smartproxy[.]org\u2019s roughly 2 million active IPV4 addresses overlapped heavily with IPIDEA\u2019s network, a major Chinese proxy provider that Google targeted with legal action in early 2026. The researchers concluded that IPIDEA was a supplier for smartproxy[.]org, either directly or indirectly. We wonder if IPIDEA knows the actor also owns ipidea[.]org?<\/p>\n<p>This actor is fully committed to the residential proxy economy. Not only do they seemingly buy and sell access to nodes, but they also have domains that appear set up to host \u201cindependent\u201d websites for proxy service reviews, including proxyreviews[.]org. We have seen the practice of self-promotion used many times in the affiliate advertising economy to drive more traffic to the website owner\u2019s scams. This is why we use the term \u201cend-to-end malicious proxy business:\u201d Lurking Lizard has a portfolio of domains that serve it all. <\/p>\n<p>In total, through DNS and infrastructure analysis, we found more than 230 domains, revealing a larger, structured operation rather than isolated malware infrastructure. Information discovered through domain registration data and related apps indicate that the actor is likely Chinese. A hardcoded IPLogger URL embedded within multiple samples enabled us to link otherwise distinct campaigns and payloads across several years, including video downloader malware and more recent WireVPN-themed variants. In parallel, shared infrastructure fingerprints, such as consistent deployment patterns, API structures, and hosting behavior, provide strong evidence of a single actor operating across multiple lures and brands. <\/p>\n<p>We are struck by the parallels between the recently exposed criminal activity in the residential proxy space and malvertising that plagues affiliate advertising. There\u2019s an obvious story: Your TV may be part of a giant botnet conducting attacks across the internet. But the real story is far more complex, and solutions are still elusive.<\/p>\n<h3>The 7-Zip Lure Was the Tip of the Iceberg<\/h3>\n<p>So how did we uncover the actor? Using a small set of published domains, we pulled on the DNS thread and pivoted across several malware samples to reveal that the campaign was significantly larger than initially reported. Rather than re-analyzing the 7-Zip lure itself, our investigation focused on what sits behind it. Specifically, we were keen to determine what other domains were actor-controlled, whether WHOIS and registrant information could reveal the culpable actor, whether the activity predated or extended beyond the initial campaign, and whether alternative lures and payloads were being used to achieve the same goal.<\/p>\n<p>This approach ultimately led us to the conclusion that the fake 7-Zip activity was one of several distribution mechanisms used by the same actor in a broader and more established operation.<\/p>\n<h3>From WHOIS to Drop-Catch<\/h3>\n<p>Our first useful pivot was WHOIS. A registrant name, \u201cCheng Li,\u201d linked the 7-Zip malware domain to a cluster of lookalike proxy service domains, revealing that the same actor controlled both the malware delivery infrastructure and the impersonated storefronts layered above it.<\/p>\n<p>The published malware domain 7zip[.]com shares a tracker code (G-2WHSTD0PXD) with bintangwarisanhotel[.]com, a domain we assessed as actor-controlled and using the likely fake registrant name, Cheng Li, in its WHOIS record. This name also appears as the registrant for smartproxy[.]org, the domain impersonating Smartproxy. Indeed, Decodo, the owner of the real Smartproxy domain, smartproxy[.]com, <a href=\"https:\/\/decodo.com\/blog\/digital-squatting-threat-global-brands#h2-decodo_case:_when_impersonators_attack\" target=\"_blank\"><strong>also called out the domain squatter<\/strong><\/a> publicly.  <\/p>\n<p>The registrant name similarities don\u2019t stop there, with shuffled variants of Cheng Li observed across multiple related domain registrations including: Li Hao Cheng, Li Cheng Liang, and Zhang Cheng Li. Their registrant emails also include further variants including Li Qiang. WHOIS also surfaced a registrant contact phone number whose country code and area code, +86 (27), place the registrant in Wuhan, China, if the details are correct.<\/p>\n<p>The fake 7-Zip domain had an unusual advantage rooted in a practice known as drop-catching: acquiring a domain when it expires to inherit its accumulated history and legitimacy (which should not be confused with the legitimate service \u201cDropCatch\u201d). In this case, the correct domain (7-zip[.]org) had been misquoted in forum posts for years (Figure 1), meaning the incorrectly referenced version (7zip[.]com) already had organic legitimacy before the actor gained ownership. A domain with a decade of search engine history is worth far more than one registered yesterday. We identified at least seven drop-catch domains acquired by Lurking Lizard, with registration dates as early as 2004. <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure1.jpg\" alt=\"Figure 1\"><\/p>\n<p class=\"image-caption\">Figure 1: Screenshot of Google search results showing historical mentions of 7zip[.]com, lending the domain perceived legitimacy<\/p>\n<p>The lookalike domains we discovered through infrastructure pivoting made it clear: this actor was dedicated to proxies and lookalike domains, but what were they doing with the proxy nodes?<\/p>\n<h3>IPLogger: The Thread That Unraveled It<\/h3>\n<p>One of the most useful early pivots came from what initially looked like a minor artifact, a hardcoded IPLogger URL found within samples associated with the 7-Zip campaign:<\/p>\n<p style=\"text-align:center\"><strong>hxxps:\/\/iplogger[.]com\/mnWD<\/strong><\/p>\n<p>At face value, IPLogger is a legitimate service that can be abused by threat actors and offers various services including URL shortening and visitor tracking. In this instance, the URL is consistent with their &#8220;informer&#8221; service and is typically used to show a visitor&#8217;s IP address on a website. Behind the scenes, this service logs visitor metadata including access timestamp, visitor IP, geolocation, device type\/browser, referrer, and user agent (Figure 2).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure2.jpg\" alt=\"Figure 2\"><\/p>\n<p class=\"image-caption\">Figure 2: Screenshot of an IPLogger log example<\/p>\n<p>While this tracking URL would typically be embedded as an image within a webpage, the actor appears to be requesting it directly from their payloads with no visible output to the user. As such, it acts as a telemetry beacon that provides the threat actor with useful victim information and allows them to use a legitimate third-party service rather than maintaining their own dedicated tracking infrastructure.<\/p>\n<p>Pivoting on this specific URL and the &#8220;\/mnWD&#8221; identifier proved to be especially valuable. The same infrastructure underpinned multiple payloads dating back to at least 2022: the fake 7-Zip installer, tools falsely claiming TikTok and YouTube download capabilities, and both early and recent WireVPN-branded samples.<\/p>\n<p>Taken together, this provides a strong link between otherwise distinct payloads and time periods, reinforcing that the fake 7-Zip campaign formed part of a broader and well-established ecosystem for acquiring victims.<\/p>\n<h3>Infrastructure Fingerprints<\/h3>\n<p>IPLogger was not the only linkage between these seemingly distinct campaigns and associated domains. We observed consistent deployment patterns across multiple lures and time periods, providing further evidence that they are associated with Lurking Lizard. For example:<\/p>\n<ul class=\"list-spacing\">\n<li>Payloads delivered via &#8220;update.&#8221; subdomains<\/li>\n<li>Directory structures typically including &#8220;\/version\/&#8221; and the use of the &#8220;Major.Minor.Build.Revision&#8221; version pattern (e.g. 1.0.1.5)<\/li>\n<li>Direct access to these hosts exposing storage bucket-style XML responses<\/li>\n<\/ul>\n<p>Using these deployment patterns, we identified additional lure domains beyond those reported in the fake 7-Zip campaign, including the WhatsApp lookalike update.whtatsapp[.]net, active in or around 2022, and more recently the WireVPN domain update.wirevpn[.]app.<\/p>\n<p>Reinforcing these findings, several domains associated with the activity implemented remarkably similar APIs, including api.betflixfree[.]net, api.isharkvpn[.]com, api.snaptik[.]io, api.wirevpn[.]app, and api.wirevpn[.]io. Despite presenting themselves as unrelated services, these hosts exposed the same endpoints, including \/client_v1\/config\/http and \/client_v1\/version\/server, along with near-identical schemas, fixed response codes and consistent data structures.<\/p>\n<p>This level of application-layer consistency is unlikely to be coincidental, especially when considered alongside our other findings.<\/p>\n<p>We identified additional supporting links at the DNS level, with registration behaviors, hosting providers, and overlapping DNS records consistently revealing clusters of domains associated with this activity.<\/p>\n<p>Taken together, these findings suggest we are not looking at a series of independent campaigns. We are looking at the repeated reuse of the same infrastructure, deployment workflow, and backend services across multiple brands and lures. The pattern stretches back to at least 2022 and continues to appear in current WireVPN-related activity.<\/p>\n<h3>WireVPN: The Current Face<\/h3>\n<p>Based on the pivots and infrastructure correlations identified earlier, the fake 7-Zip campaign has not ceased but evolved, adopting WireVPN branding.<\/p>\n<p>Even a high-level comparison of these new samples against earlier ones reveals clear continuity in tradecraft, particularly in the way their Windows-based payloads are structured and deployed. In the original 7-Zip campaign, the primary payload is named &#8220;hero.exe,\u201d alongside a service manager and update loader component named &#8220;uphero.exe,\u201d both of which are installed to &#8220;C:\\Windows\\SysWOW64\\hero&#8221; alongside supporting libraries. In the more recent samples, similar executable files named &#8220;wire.exe&#8221; and &#8220;upwire.exe&#8221; are installed to &#8220;C:\\Windows\\SysWOW64\\wire,\u201d a straightforward renaming to align with the current campaign while retaining the same underlying functionality.<\/p>\n<p>Furthermore, both exhibit the same approach to system modification and payload execution. In each case, the Windows command-line networking utility &#8220;netsh&#8221; is used to create explicit firewall rules allowing their respective binaries (such as &#8220;hero&#8221; and \u201cwire&#8221;) to communicate with the internet unimpeded. This is supported by a shared service-style execution model, where persistence is maintained through consistent registry modifications across both variants.<\/p>\n<p>Taken together, the similarities, including consistent system profiling, location checks, and anti-debugging behavior point to a shared codebase, or at a minimum, a common development model.<\/p>\n<p>During execution, we observed the newer WireVPN samples communicating with multiple subdomains across WireVPN-controlled domains, including wirevpn[.]app, wirevpn[.]cc, and wirevpn[.]io. As detailed earlier, the endpoints responding on these domains exhibit similar behavior to those on other branded domains and continue to point toward consistent or shared infrastructure.<\/p>\n<p>In addition, the malware initiated connections to several intentionally varied and benign-looking hosts, including domains such as abc.breakoursilence[.]com, bin.visitbenin[.]org, and cate.norton-com-nu16[.]com, among others. Many consistently resolve to shared backend infrastructure, typically either to the same IP addresses or within the same network ranges.<\/p>\n<h3>App Reach<\/h3>\n<p>WireVPN maintains a website offering macOS and Windows installers and links directly to its Apple App Store and Google Play listings.<\/p>\n<p>Across platforms, these applications share consistent developer attribution and infrastructure. The Windows samples were signed with a valid code signing certificate issued to WEILAI NETWORK TECHNOLOGY CO., LIMITED, a UK-registered entity (Figure 3).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure3.jpg\" alt=\"Figure 3\"><\/p>\n<p class=\"image-caption\">Figure 3: Screenshot of the User Account Control prompt for WireVPN on Windows, showing the \u201cverified publisher\u201d<\/p>\n<p>Weilai is also listed as the developer of the iOS application &#8220;WireVPN &#8211; Fast VPN &#038; Proxy&#8221; (App ID: 1615422104), (Figure 4), which specifically references the domain wirevpn[.]app as part of its support infrastructure.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure4.jpg\" alt=\"Figure 4\"><\/p>\n<p class=\"image-caption\">Figure 4: Screenshot of WireVPN\u2019s listing on the Apple App Store<\/p>\n<p>The Android application, &#8220;wirevpn \u2013 Fast Unlimited Proxy&#8221; (App ID: com.wirevpn.freevpn), (Figure 5), is published under a different entity, WIRE LTD, but similarly references the wirevpn[.]app domain within its published application details. The overlap in developer naming, branding, and infrastructure points to a single operator across platforms, not a collection of unrelated applications.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure5.jpg\" alt=\"Figure 5\"><\/p>\n<p class=\"image-caption\">Figure 5: Screenshot of WireVPN\u2019s listing on Google Play<\/p>\n<p>Publicly available metrics point to these applications having achieved substantial reach. At the time of writing, the Android application listed on Google Play reports more than 1 million downloads and over 34 thousand reviews. While we cannot independently verify these figures, and they may not directly reflect ongoing or real-world usage, they nonetheless suggest that a significant number of users have been exposed to the broader WireVPN ecosystem.<\/p>\n<p>Our analysis focused on Windows samples; we did not analyze the mobile applications and cannot determine whether they share the same underlying functionality or primarily direct users toward desktop installations.<\/p>\n<p>In the original 7-Zip campaign, victims were directed to malicious installers through tutorial content, search-driven discovery, and lookalike domains. Whether similar techniques are driving users to the current desktop variants is unclear, but the mobile applications may serve as an additional acquisition channel. Users seeking privacy or circumvention tools via app marketplaces may not realize these applications don&#8217;t always function as conventional VPN clients. As we\u2019ll explore below, observed behavior in related samples raises the possibility that participating systems contribute to a broader proxy network rather than functioning as traditional VPN endpoints.<\/p>\n<h3>Traffic Forwarding Behavior<\/h3>\n<p>To assess whether WireVPN functions as a legitimate VPN client, we captured and analyzed its network activity. The behavior differed from what a standard VPN provider might exhibit in several notable ways.<\/p>\n<p>Shortly after launch, the client issued ICMP echo (ping) requests to many globally distributed IP addresses (Figure 6).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure6.jpg\" alt=\"Figure 6\"><\/p>\n<p class=\"image-caption\">Figure 6: Screenshot showing ICMP echo (ping) responses from numerous hosts observed during initial execution of the WireVPN client<\/p>\n<p>Responses from these hosts appeared to influence the list of selectable locations presented to the user. While VPN clients commonly use latency measurements to optimize server selection, the scale and diversity of the probes suggested interaction with a broad and dynamic pool of nodes.<\/p>\n<p>The client also established connections to both WireVPN-branded and the previously discussed benign-looking hosts (Figure 7), further demonstrating that these domains remained an active component of the broader infrastructure.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure7.jpg\" alt=\"Figure 7\"><\/p>\n<p class=\"image-caption\">Figure 7: Screenshot showing TLS connections to multiple WireVPN-branded and other benign-looking hosts; all these domains are controlled by Lurking Lizard<\/p>\n<p>Rather than forming a single stable tunnel to a fixed endpoint, as would be expected of a VPN application, it appears to make multiple concurrent connections across these hosts. As discussed earlier, these domains exhibit strong infrastructure linkage through DNS records, hosting patterns, and shared backend systems, supporting the assessment that they are all controlled by Lurking Lizard.<\/p>\n<p>The traffic patterns do not match what a VPN client produces: WireVPN looks less like a privacy tool and more like an exit node for third-party traffic.<\/p>\n<p>In practical terms, this could allow affected systems to function as exit nodes, with external traffic originating from the host\u2019s IP address. Further analysis is needed to fully characterize this behavior, but it points to participation in a distributed proxy network rather than a traditional VPN service.<\/p>\n<h3>Pulling It All Together<\/h3>\n<p>The individual components described throughout this research may initially appear unrelated. However, when viewed as a whole, they reveal a coordinated ecosystem that spans victim acquisition, proxy infrastructure, marketing and monetization (Figure 8).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-figure8.jpg\" alt=\"Figure 8\"><\/p>\n<p class=\"image-caption\">Figure 8: High-level overview of the Lurking Lizard residential proxy ecosystem<\/p>\n<p>Trojanized installers, mobile applications, and other lures recruit victim devices into an actor-controlled proxy pool. That pool is then monetized through lookalike proxy service brands, while fake review sites help drive traffic to the actor&#8217;s storefronts. Supporting evidence, such as our DNS findings and the IPLogger telemetry, links activity across multiple campaigns, time periods and infrastructure.<\/p>\n<p>Rather than operating a single malware campaign, Lurking Lizard manages multiple stages of the residential proxy lifecycle for several years, from acquiring victim devices through to marketing and selling access to the resulting network. The fake 7-Zip campaign was simply the most visible manifestation of an otherwise much longer-running operation.<\/p>\n<p>We asked Ben Brundage of Synthient for his take on the relationship between Lurking Lizard and IPIDEA that was exposed earlier this year by Proxyware. He said,<\/p>\n<p>\u201cCommercial proxy services like IPIDEA scale their pools by acquiring IPs not only from publishers but also from resellers willing to sell them bandwidth. This business model is similarly adopted by smaller actors like &#8220;Lurking Lizard,&#8221; whose proxy services, such as 911proxy[.]com and smartproxy[.]org combine their own pool of compromised devices with a larger upstream provider like Kookeey or IPIDEA. This approach allows them to offer a profitable &#8220;unlimited pool&#8221; and reduce potential downtime. The broader distribution chain of backdoored apps reveals the common structure that providers or publishers use to acquire large swaths of IP space from victims, in which consent is explicitly omitted.\u201d<\/p>\n<p>This is a near perfect analogy to how malicious players in the affiliate advertising world interoperate to fuel the scourge of scams and malware. The model maximizes damage while minimizing accountability.<\/p>\n<style>\n.savy-seahorse-table {\nfont-size:14px;word-break: keep-all;}.savy-seahorse-table td:last-child, .savy-seahorse-table th:last-child {padding-right:10px;}.code-format {\/*font-family: 'Courier New';*\/}.image-caption {    font-size: 12px;margin-top:auto;}.list-spacing li{margin-bottom:20px}.img-container, .img-container-3-col {display: flex;flex-wrap: wrap;justify-content: space-between;}.img-container img {width: 49%;margin-bottom: 10px;}.img-container-3-col img {width: 30%;margin-bottom: 10px;object-fit: contain;}@media (max-width: 767px) {.img-container, .img-container-3-col {display: block;}.img-container img, .img-container-3-col img {width: 100%;}.grid-container {    grid-template-columns: 1fr!important;  }}@media (min-width: 767px) {.img-50{width:50%;}}.grid-container {  display: grid;  grid-template-columns: repeat(2, 1fr);  gap: 40px;  max-width: 800px;  margin: 0 auto;  align-items: stretch;margin-bottom: 20px;}.grid-item {   display: flex;  flex-direction: column;  justify-content: flex-start;}.grid-item img {  max-width: 100%;  height: auto;width: auto;}\n.youtube-responsive {\n  position: relative;\n  width: 100%;\n  padding-bottom: 56.25%; \/* 16:9 aspect ratio *\/\n  height: 0;\n  overflow: hidden;\n  margin-bottom: 20px;\n}\n.youtube-responsive iframe {\n  position: absolute;\n  top: 0;\n  left: 0;\n  width: 100%;\n  height: 100%;\n}\n.img-400{\nmax-width: 400px; width: 100%;\n}\n<\/style>\n<p><script>\njQuery('.single h1').html('<span class=\"gradient\">Fake Installers, Fake Reviews, Fake Services<\/span> - Real Proxies, Real Victims');\n<\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary Residential proxies are one of the hottest topics in cybersecurity today. Turns out, they are often not in residences, and they facilitate a wide range of criminal activity. In the simplest terms, a little piece of software in a TV, digital picture frame, or your phone might enable a company to sell access [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":13872,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[30,913,1515,1738,386,1777,1524,915,1778,40],"class_list":{"0":"post-13861","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-dns","9":"tag-threat-actor","10":"tag-residential-proxy","11":"tag-proxyware","12":"tag-lookalike-domains","13":"tag-cybersquatting","14":"tag-brand-impersonation","15":"tag-rdga","16":"tag-ppi","17":"tag-threat-intelligence","18":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Proxyware actor behind fake 7-Zip is bigger than you think!<\/title>\n<meta name=\"description\" content=\"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Proxyware actor behind fake 7-Zip is bigger than you think!\" \/>\n<meta property=\"og:description\" content=\"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-07T13:00:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Proxyware actor behind fake 7-Zip is bigger than you think!\" \/>\n<meta name=\"twitter:description\" content=\"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"Fake Installers, Fake Reviews, Fake Services &#8211; Real Proxies, Real Victims\",\"datePublished\":\"2026-07-07T13:00:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/\"},\"wordCount\":2945,\"publisher\":{\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/lurking-lizard-thumbnail.png\",\"keywords\":[\"DNS\",\"threat actor\",\"residential proxy\",\"proxyware\",\"lookalike domains\",\"cybersquatting\",\"brand impersonation\",\"RDGA\",\"PPI\",\"Threat Intelligence\"],\"articleSection\":[\"Infoblox Threat Intel\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/\",\"name\":\"Proxyware actor behind fake 7-Zip is bigger than you think!\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/lurking-lizard-thumbnail.png\",\"datePublished\":\"2026-07-07T13:00:58+00:00\",\"description\":\"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/lurking-lizard-thumbnail.png\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/lurking-lizard-thumbnail.png\",\"width\":1200,\"height\":675},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Fake Installers, Fake Reviews, Fake Services &#8211; Real Proxies, Real Victims\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#website\",\"url\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Proxyware actor behind fake 7-Zip is bigger than you think!","description":"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/","og_locale":"en_US","og_type":"article","og_title":"Proxyware actor behind fake 7-Zip is bigger than you think!","og_description":"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/","og_site_name":"Infoblox Blog","article_published_time":"2026-07-07T13:00:58+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png","type":"image\/png"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_title":"Proxyware actor behind fake 7-Zip is bigger than you think!","twitter_description":"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.","twitter_image":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"Fake Installers, Fake Reviews, Fake Services &#8211; Real Proxies, Real Victims","datePublished":"2026-07-07T13:00:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/"},"wordCount":2945,"publisher":{"@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png","keywords":["DNS","threat actor","residential proxy","proxyware","lookalike domains","cybersquatting","brand impersonation","RDGA","PPI","Threat Intelligence"],"articleSection":["Infoblox Threat Intel"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/","name":"Proxyware actor behind fake 7-Zip is bigger than you think!","isPartOf":{"@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png","datePublished":"2026-07-07T13:00:58+00:00","description":"Learn how a threat actor runs an end-to-end residential proxy business using lookalike domains, fake software downloads, and a connection to Chinese IPIDEA.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/lurking-lizard-thumbnail.png","width":1200,"height":675},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-installers-fake-reviews-fake-services-real-proxies-real-victims\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/live-infoblox-blog.pantheonsite.io\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Fake Installers, Fake Reviews, Fake Services &#8211; Real Proxies, Real Victims"}]},{"@type":"WebSite","@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#website","url":"https:\/\/live-infoblox-blog.pantheonsite.io\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/live-infoblox-blog.pantheonsite.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#organization","name":"Infoblox","url":"https:\/\/live-infoblox-blog.pantheonsite.io\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/13861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=13861"}],"version-history":[{"count":7,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/13861\/revisions"}],"predecessor-version":[{"id":13878,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/13861\/revisions\/13878"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/13872"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=13861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=13861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=13861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}